diff --git a/proposals/issuerTokens.png b/proposals/issuerTokens.png new file mode 100644 index 0000000..1f4ebdf Binary files /dev/null and b/proposals/issuerTokens.png differ diff --git a/proposals/networkTokens.png b/proposals/networkTokens.png new file mode 100644 index 0000000..0f07879 Binary files /dev/null and b/proposals/networkTokens.png differ diff --git a/proposals/tokenized_cards.html b/proposals/tokenized_cards.html index 7d77562..01d2f57 100644 --- a/proposals/tokenized_cards.html +++ b/proposals/tokenized_cards.html @@ -88,8 +88,17 @@

Introduction

This specification is a Payment Transaction Message Specification used by the PaymentRequest API - [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards. Merchants should favor tokenized card payment methods over basic card payments. + [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards. Tokenization provides some advantages over traditional card payments - tokenized credentials are often narrowly scoped, for example single-use or merchant/amount/time scoped. Tokenized credentials also help alleviate some concerns about merchant data breaches since the merchant does not have the raw PAN. This provides some additional security for a consumer.

+

+ This specification covers issuer and network tokens, but does not encompass all types of tokenization. As an example, gateway tokens are not covered by this specification since they often require merchant onboarding with the token provider. Network tokens are tokens (typically single-use) provided by card networks (i.e. Visa/MasterCard/American Express/Discover/etc.). These tokens are a representation of the underlying PAN. With issuer tokens, a provider serves as a card issuer by generating a new card number. This new card number is backed by the original PAN or by another funding source. During charging of these tokens, the provider translates the generated card number back into the original PAN or original funding source. +

+ +

The flow of issuer tokens is shown in the diagram below:

+ + +

The flow of network tokens is shown in the diagram below:

+
@@ -119,105 +128,73 @@

Dependencies

Payment Method Identifier

-

The following payment method identifier strings are supported by the Tokenized Card Payment data formats.

- - - - -
Identifier StringDescription
urn:payment-method:tokenized-card-payment:networkNetwork Tokenized Cards
urn:payment-method:tokenized-card-payment:issuerIssuer Tokenized Cards
-

- The payment method can be further specified by using the optional supportedTokenTypes data attribute. - Payment Mediators will take the supported token types into consideration when presenting Payment Apps to the user. -

+

The payment method identifier string for the Tokenized Card Payment method is card-token.

-
+

Payment Method Specific Data for the PaymentRequest constructor

This section describes payment method specific data that is supplied as part of the data - argument to the PaymentRequest constructor.

+ argument to the PaymentRequest constructor.

+ +
+

TokenCardRequest

-        dictionary TokenizedCardSpecificData  {
-          required sequence<DOMString> supportedTokenTypes;
-          DOMString? merchantID;
+        enum TokenCardType { "emv", "issuer" };
+
+        dictionary TokenCardRequest {
+          sequence<DOMString> supportedNetworks;
+          sequence<TokenCardType> supportedTypes;
         };
+

- The TokenizedCardSpecificData dictionary contains the following fields: + The TokenCardRequest dictionary contains the following fields:

-
supportedTokenTypes
-
The supportedTokenTypes specifies which network or issuer token providers you support. +
supportedNetworks
+
The supportedNetworks field contains a sequence of identifiers for card networks + that the merchant accepts.
+
supportedTypes
+
The supportedTypes field contains a sequence of token card types that the merchant + accepts. Implementations will determine how to match the type values emv, + and issuer.
-
- Apps that provide tokenization will likely prefer to encrypt the response data with the merchant's public key. How/should that be specified in the input data? -
- -
- The exact list of supported token types and how this list is updated needs thought. -
- -

As an example, you might construct a Payment Request with supported payment methods as follows:

+

+ The supportedNetworks and supportedTypes fields are both optional. + If neither is provided then any card may be returned. If only supportedNetworks + is provided then any card type may be returned provided it matches one of the networks. + If only supportedTypes is provided then a card may be returned from any network + provided it matches one of the types. It is expected that supportedTypes will be an evolving list. +

- 
-        var supportedMethods = [{
-          supportedMethods: ['urn:payment-method:tokenized-card-payment:issuer'],
-          data: {
-            supportedTokenTypes: ['roypay'],
-          },
-        }];
-
+

Payment Method Response

-

The TokenizedCardResponse dictionary contains the response from the - PaymentRequest API when a user accepts payment with a Tokenized Payment Card payment method.

+

+ The TokenizedCardResponse dictionary contains the response from the PaymentRequest API when a user accepts payment with a Tokenized Payment Card payment method. The intention is for this to extend from the BasicCardResponse with some additional fields required for tokenization. It should be noted that the "cardSecurityCode" from the BasicCardResponse will contain a card security code for issuer-based tokens, but will contain the cryptogram for network tokens. The combination of cardNumber (the token number) + cardSecurityCode (either cryptogram or security code) establishes a one-time use credential. + 

-        dictionary TokenizedCardResponse {
-            DOMString          cardholderName;
+        dictionary TokenizedCardResponse: BasicCardResponse {
             required DOMString          cardLast4;
-            DOMString          cardType;
             DOMString          tokenType;
-            required DOMString          tokenNumber;
-            required DOMString          expiryMonth;
-            required DOMString          expiryYear;
-            DOMString        tokenCryptogram;
             DOMString        tokenRequesterId;
-            BillingAddress?  billingAddress;
         };
-
- The response should be broken into two different response types, - one network tokens and one issuer tokens respectively. -
-

The TokenizedCardResponse dictionary contains the following fields:

-
cardholderName
-
The cardholderName field contains the cardholder's name as it appears on the card.
cardLast4
-
The cardLast4 field contains the last 4 digits of the original (non-token) primary account number (PAN) for the payment card.
-
cardType
-
The cardType field contains the type (Visa, Mastercard, etc.) of the original (non-token) payment card.
+
The cardLast4 field contains the last 4 digits of the original (non-token) primary account number (PAN) for the payment card. This may be used for display purposes during the purchase.
tokenType
The tokenType field contains the type (Network, Issuer) of token.
-
tokenNumber
-
The tokenNumber field contains the token number for the payment card.
-
expiryMonth
-
The expiryMonth field contains a two-digit string for the expiry month - of the token in the range 01 to 12.
-
expiryYear
-
The expiryYear field contains a two-digit string for the expiry year - of the token in the range 00 to 99.
-
tokenCryptogram
-
The tokenCryptogram field contains the cryptogram for the token. The cryptogram+token combination establishes a one time use credential. For issuer tokenization, this field should be a CVV.
tokenRequesterId
The tokenRequesterId field contains ID of the requester of the token (likely the creator of the payment app). This field is only applicable to network tokenization.